Controlling passively-quenched single photon detectors by bright light 
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Single photon detectors based on passively-quenched avalanche photodiodes can be temporarily 
blinded by relatively bright light, of intensity less than a nanowatt. I describe a bright- light regime 
suitable for attacking a quantum key distribution system containing such detectors. In this regime, 
all single photon detectors in the receiver Bob are uniformly blinded by continuous illumination 
coming from the eavesdropper Eve. When Eve needs a certain detector in Bob to produce a click, 
she modifies polarization (or other parameter used to encode quantum states) of the light she sends 
to Bob such that the target detector stops receiving light while the other detector(s) continue to 
be illuminated. The target detector regains single photon sensitivity and, when Eve modifies the 
polarization again, produces a single click. Thus, Eve has full control of Bob and can do a successful 
intercept-resend attack. To check the feasibility of the attack, 3 different models of passively- 
quenched detectors have been tested. In the experiment, I have simulated the intensity diagrams the 
detectors would receive in a real quantum key distribution system under attack. Control parameters 
and side effects are considered. It appears that the attack could be practically possible. 
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I. INTRODUCTION 

Quantum key distribution (QKD) is a technique that 
allows remote parties to grow shared secret random key 
material at a steady rate, using an insecure optical com- 
munication channel and an authenticated classical com- 
munication channel [TJ [2] • Since a tabletop demonstra- 
tion nineteen years ago pQ , QKD has progressed to com- 
mercial devices working over tens of kilometers of op- 
tical fiber [3] and many long-distance experiments. Key 
transmission over more than a hundred kilometers of fiber 
[U [S], 23 km and 144 km of free space [51 [5] has been 
demonstrated. As QKD enters commercial market, it be- 
comes increasingly important to verify the actual level of 
security in its implementations, and search for possible 
loopholes. 

QKD has been proven to be unconditionally secure for 
certain models of equipment that include most common 
imperfections of components [9]. However, it remains a 
challenge to build a system that is demonstrably in strict 
accordance with the model in the security proof. Discov- 
ering and patching loopholes and imperfections of com- 
ponents is an ongoing process [lOj [HJ [12j [13l [14] . Once 
found, such imperfection affecting security can either be 
integrated into the unconditional proof, neutralized by 
a specific coutermeasure, or avoided through a rational 
choice of components, optical scheme and QKD protocol. 

When treating security of QKD, we follow Kerckhoffs' 
principle: "The system must not be required to be secret, 
and it must be able to fall into enemy's hands without 
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causing inconvenience" [151 . This principle, embraced in 
the classical cryptography since the 19th century, means 
Eve is assumed to know everything about Alice's and 
Bob's equipment. Thus, Eve can fully exploit every im- 
perfection that exists in legitimate parties' hardware and 
software. Although it's tempting to assume Eve might 
not know the type of equipment or its exact parameters, 
the history of cryptography shows she will eventually find 
this out. In QKD, practical ways of measuring unobtru- 
sively equipment parameters of a running cryptosystem 
may exist as well [12] . 

In this paper, I report an imperfection found in single 
photon detectors (SPDs) of one particular type, namely 
those based on passively-quenched avalanche photodi- 
odes (APDs). This particular type of SPD is used in 
probably about 10% of all QKD implementations re- 
ported up to the date. Since the passive quenching is 
most suited for silicon APDs, the majority of the possibly 
affected systems are free-space QKD experiments doing 
optical transmission in the 500-900 nm wavelength range; 
they are listed in Sec.[V] The current commercial devices 
working at longer telecommunication wavelengths [3] are 
not affected by this paticular vulnerability, because they 
use another type of SPD, a gated APD. 

II. BLINDING AND CONTROLLING A 
PASSIVELY-QUENCHED SINGLE PHOTON 
DETECTOR 

Passive quenching is the oldest and simplest possi- 
ble circuit design in SPDs based on APDs [T5J [T7j . 
Beyond the useful photon counting rate range, passively- 
quenched SPDs exhibit saturation and blinding behavior. 
Fig. [T] illustrates this on the example of three different 



2 




CW optical power at the APD, W 



FIG. 1: Detector saturation curves. Model 1: do-it-yourself design by C. Kurtsiefer and his coworkers (currently used in several 
laboratories; the sample tested was assembled at the Laboratory of spontaneous parametric down-conversion at the Moscow 
State University). Model 2: EG&G SPCM-200-PQ (industrially produced in the 1990s). Model 3: four detectors used in Bob 
in a daylight free-space QKD system |18| (entire Bob is pictured in the inset; curves for model 3 reprinted from [19]). The dark 
count rate is around 100 counts per second (cps) for model 1, around 50 cps for model 2, and in the 900-2100 cps range for 
model 3. 



SPD models I have tested. Up to a certain point different 
for each SPD model, their count rate increases approx- 
imately linearly with intensity of CW illumination. At 
higher input light intensities, the count rate saturates, 
reaches the peak value different for each model, and be- 
gins to drop. It drops to exactly zero at 10 pW input 
power (at 820 nm wavelength) for model 1, at 280 pW (at 
780 nm) for model 2, and at intermediate power values for 
the four tested detectors of model 3. The shapes of the 
saturation curves are similar for all the tested detector 
models. This suggests that the saturation and blinding 
is generic to the passively-quenched detector design. For 
the rest of this paper (except Sec. IV B I, characteristics 



of the model 1 arc given in all examples, while the mod- 
els 2 and 3 are implied to exhibit the same behavior with 
different values of parameters. 

To explain the blinding behavior, let's consider the cir- 
cuit diagram of the detector model 1 (Fig. |2|. The Si 
APD (PerkinElmer C30902S) is biased six to ten volts 
above its breakdown voltage from a high-voltage source 
via a 360 kfi resistor. The circuit works thanks to the 
presence of two stray capacitances of the order of 1 pF 
each, shown in the circuit diagram. When there is no 
current flowing through the APD, both capacitances are 
charged to the bias voltage. During an avalanche, they 
quickly discharge through the APD, producing a short 
current pulse. The discharge current of the leftmost ca- 
pacitance is converted into voltage at a 100 f2 resistor, 
and this voltage is sensed by a fast ECL comparator 
(MC100EL16). The short output pulse of the comparator 



is widened to about 10 us by a non-retriggerable monos- 
table multivibrator. The current pulse produced during 
the avalanche is on the order of 1 ns wide. When the volt- 
age at the APD drops sufficiently close to the breakdown 
voltage, the avalanche quenches. The capacitances are 
subsequently slowly recharged through the bias resistor, 
with a recharge time constant on the order of 1 us. 

Until the capacitances recharge to a certain thresh- 
old voltage, which in our detector sample takes about 
1 us, the detector has no single photon sensitivity. (Af- 
ter 1 us, it increases its quantum efficiency gradually as 
the voltage continues to rise.) However, a photon coming 
during the first microsecond may still cause an avalanche 
with a smaller peak current, not reaching the comparator 
threshold [17] • Such small avalanches reset the voltage 
and can keep the detector blinded indefinitely if they oc- 
cur often enough. This is the primary blinding mecha- 
nism in the passively-quenched detectors. Additionally, 
heating of the APD chip can contribute to the blind- 
ing. At 10 pW input optical power, the average electrical 
power dissipated in the APD is measured to be 5.7 mW. 
PerkinElmer C30902S APD is reported to have a high 
thermal resistance between the chip and the package |20j . 
The measured electrical power may raise the chip tem- 
perature by several degrees. This rise in temperature 
would increase the breakdown voltage by several volts, 
which could be a contributing factor to the blinding. 

In applications of SPDs, the non-linearity of the re- 
sponse is undesirable |17] . Typically a detector is consid- 
ered usable only in the mostly linear portion of its char- 
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FIG. 3: Control diagrams for detector model 1: (a) input 
intensity diagram that keeps the detector completely blinded 
at all times (no output pulses); (b) input intensity diagram 
that produces a single output pulse with probability greater 
than 0.8, right after the end of the 2 u.s gap. The actual 
input intensity on both diagrams may take any shape within 
the hatched area. 



FIG. 2: Detector model 1: (a) equivalent circuit diagram; 
(b) current through the APD and voltage at the APD during 
an avalanche and subsequent recharge. 

acteristic, located to the left of the saturation peak in 
Fig. [I] Detect ors are never used beyond their saturation 
point. The following might be the first "useful applica- 
tion" I have found for the beyond-saturation regime. In 
doing an attack against a QKD system, Eve may blind 
Bob's SPDs by delivering constant illumination higher 
than 10 pW to each of them. However, by introducing a 
gap in which the intensity of illumination drops to zero 
at one of Bob's SPDs, she may induce an output pulse 
at that SPD. 

Let's first consider how Eve can control a single SPD. 
Experimental tests made on the detector model 1 have 
demonstrated that the control diagrams shown in Fig. [3] 
can be used. When the power of input illumination P opt 
stays within the range depicted in the diagram (a), the 
SPD is kept blinded. However, in the diagram (b), af- 
ter the light is switched off, the capacitances in the SPD 
have time to recharge and it becomes sensitive to sin- 
gle photons. When the light is switched on 2 later, 
the SPD produces a single photon count with probability 
greater than 0.8 (or no click in the remaining fraction of 
the cases), and after that becomes blinded again. I have 
only tested power values up to 400 pW with this detec- 



tor model; however the upper border of the power range 
could probably be extended much higher than 400 pW 
without causing any new effects. Experimental tests 
of the detectors are treated in more detail later on, in 
Sec. El 



III. PROPOSED ATTACK AGAINST QKD 
SYSTEM 

With the detector control method described above, 
Eve can attack a complete QKD system. In a QKD sys- 
tem, Bob has several detectors and/or makes a choice 
of detection basis. Eve needs a way to cause a click 
in a specific detector in a specific basis of her choice, 
without causing a click in the other detector (s) nor in a 
different basis. I initially explain the attack on an ex- 
ample of a system with polarization coding and active 
basis choice at Bob that runs the Bennett-Brassard 1984 
(BB84) protocol [TJ 121] . In such a system, input light 
at Bob first passes through a modulator that, at Bob's 
random choice, either does nothing or rotates any input 
polarization state 45° clockwise, thus setting one of the 
two possible detection bases (Fig.[4ja)). After the modu- 
lator, light is split at a polarizing beamsplitter PBS. The 
vertical component of polarization goes to the detector 
DO and horizontal component goes to the detector Dl. 
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FIG. 4: Proposed attack against a QKD system that uses two 
model 1 detectors: (a) equivalent optical scheme of Bob's 
setup; (b) scheme of the faked-state attack; (c) faked state 
sent by Eve in case of her detection in the 0° basis with the 
result DO, and the intensity diagrams that result at Bob's 
detectors for his two possible basis choices. Optical losses 
in components are neglected; in the presence of losses, Eve 
should send a proportionally brighter faked state. 



Eve runs an intercept-resend attack (faked-state at- 
tack [12] ) against this system. In the faked-state attack, 
she blocks the light between Alice and Bob completely 
(Fig. |4jb)). Eve uses a replica of Bob's setup Bob' to 
detect Alice's quantum state, choosing the detection ba- 
sis at random. Then, Eve forces Bob to make a click in 
her basis only and with the same bit value as she has 
just detected. (This is the difference between the con- 
ventional intercept-resend attack [T] and the faked-state 
attack |12J : in the latter, the basis and bit value of Bob's 
detector click is always the same as Eve's, thus the attack 
does not cause errors in the sifted key and eavesdropping 
is not detected.) Eve forces a click in the selected basis 
with the specific bit value by sending to Bob a specially 
crafted light state called faked state, using her faked state 
generator FS. The faked state exploits technological im- 
perfections in Bob to achieve its goal. In the present 
study, it will exploit detector controllability. 

Let's suppose for certainty that Eve has detected Al- 
ice's quantum state in the 0° basis and registered a click 
in her DO detector. She now has to form and send to 
Bob a faked state. The faked state should cause a click 
in Bob's DO detector in the case Bob chooses the 0° ba- 
sis (the same basis as Eve has used), and cause no clicks 
in either of Bob's detectors in the case Bob chooses the 
45° basis (not the basis Eve has used). The faked state 
that reaches this goal consists of an incoherent mixture 
of vertical and horizontal polarization components, with 
an intensity diagram for each polarization component as 
shown in the upper half of Fig. |4}c). The lower half 
of Fig. |4jc) shows what happens to this faked state in 
Bob's setup. If Bob chooses the 0° basis, his modula- 
tor does nothing and the two polarization components of 
the faked state are split each to its own detector. The 
intensity diagram of the vertical polarization component 
causes a click in DO with probability greater than 0.8 (for 
the gap width of 2 us). The intensity diagram of the hor- 
izontal polarization component keeps Dl blinded. If Bob, 
however, chooses the 45° basis, each polarization compo- 
nent is rotated 45° and is split equally at the polarizing 
beamsplitter. The halves of the two polarization com- 
ponents sum at each detector, resulting in identical in- 
tensity diagrams that keep both detectors blinded. Eve's 
three other possible bit-basis detection results are treated 
symmetrically. Thus, my faked-state attack succeeds. 

The reader may notice that the probability of a faked 
state sent by Eve to cause a click at Bob is %p = 0.4. 
Many realistic Bobs have overall photon detection effi- 
ciency less than 40%, mainly due to limited quantum 
efficiency of the APDs. For these Bobs, Eve can mimic 
their detection rate before the attack, provided she uses 
ideal SPDs with 100% quantum efficiency and zero-loss 
optics in Bob'. However, I want my attack not only be 
possible in principle, but implementable in practice, to- 
day. For that, Eve cannot uses non-existent ideal detec- 
tors. It would also be impractical for her to use exotic 
high quantum efficiency detectors working at cryogenic 
temperatures. Most practical for Eve would be to use a 
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copy of actual Bob's setup for her Bob', maybe with lim- 
ited improvements. In this situation, Bob will observe 
loss of detection efficiency under attack, which equiva- 
lently appears to him as a sudden 4 dB additional loss 
in the line, and may trigger a security alarm. However, 
this would be a solvable problem for Eve in most of the 
real situations, because loss in the transmission line be- 
tween Alice and Bob almost always exceeds 4 dB. Eve 
may place her detection unit closer to Alice. Thus, she 
excludes the loss in the length of the line between her 
detection unit and Bob. This compensates the reduced 
"detection efficiency" of her faked states at Bob. Eve 
could also try to improve quantum efficiency of her de- 
tectors and reduce losses in Bob' comparing to those of 
Bob's setup. In free-space QKD, the losses Eve could try 
to reduce would include the coupling loss from Alice's 
free-space beam into the receiver telescope. 

My attack is applicable to different protocols and 
schemes, when they use vulnerable detectors. The at- 
tack clearly applies to schemes with passive basis choice 

at Bob [SI m El UHl Ea [23J EH EH Eg EH EH 1291 EOl EI] . 

For these schemes, Eve should double the intensity of 
her faked states. The random basis choice by Bob is re- 
moved: Eve always gets to choose the basis for him. In 
the case of the BB84 protocol, the four cells in the ta- 
ble in Fig. [4^c) represent the intensity diagrams at the 
four Bob's detectors. This is the case described in the 
abstract of this paper. 

Besides polarization, another coding widely used in 
QKD is phase coding [321 |33j- If a scheme with phase 
coding employs vulnerable detectors, this attack can be 
run against it. For phase coding Eve shall, instead of the 
polarization components shown in Fig. |4^c), use compo- 
nents of faked state with and it phase differences be- 
tween the arms of the interferometer. The attack will also 
work on systems using the Scarani-Acin-Ribordy-Gisin 
2004 (SARG04) protocol [34] and most of the decoy- 
state protocols [5J El [55J as long as Bob is using 
passively-quenched detectors. The decoy-state protocols 
referenced above do not help the legitimate users against 
this attack, because Eve does not measure photon num- 
ber. She detects Alice's states with a faithful replica of 
Bob's setup and then simply forces her detection results 
onto Bob as transparently as she can. At last, this at- 
tack is also applicable to the Bennett 1992 (B92) proto- 
col |311 133 IMl US SB HI |H US], to the Ekert protocol 
[H1HS], to the six-state protocol [3S] and, under certain 
conditions, to secret sharing schemes [47] . 

For a practical implementation of the attack, it is im- 
portant to consider all side effects it causes, and how to 
work them around so that Alice and Bob are not alarmed. 
One side effect, the less-than-unity "detection efficiency" 
of the faked states at Bob, has been discussed above. 
Another side effect is the replacement of dark counts of 
Bob's detectors with dark counts of Eve's detectors. Dur- 
ing the attack, Eve keeps Bob's detectors blinded when 
she is not sending faked states. Thus, they do not pro- 
duce spontaneous counts. Instead, Eve has dark counts 



in her detectors which she cannot distinguish from Al- 
ice's photons. She passes them on to Bob as faked states. 
Eve's detectors may have a lower ratio of dark counts to 
photon counts than Bob's. Eve is certainly allowed to 
achieve this in practice, either by using better detectors 
or by placing them closer to Alice (which she may have to 
do anyway). This may cause an overall reduction in the 
quantum bit error rate (QBER) experienced by Alice and 
Bob, and be noticed by them. If this becomes a prob- 
lem, Eve can emulate additional dark counts by sending 
random faked states to Bob at random times. Similarly, 
optical imperfections at Bob that originally contributed 
to the QBER get replaced by the optical imperfections 
in Eve's copy of Bob's setup. (However, the optical im- 
perfections at Bob may still make some contribution to 
the QBER through timing side effects during the attack, 
as will be shown in the next section.) 

Side effects may arise when Eve begins and ends the at- 
tack. When she goes into the control mode by switching 
on the constant illumination, Bob's detectors will each 
produce a single click. These initial clicks at the begin- 
ning of the attack may register as one or more error bits 
in the key. However, this should not be a problem as long 
as Eve does not switch in and out of the attack mode too 
frequently. At the end of the attack, when Eve switches 
off the illumination, no extra clicks are produced except 
for maybe afterpulses with slightly increased probability 
than normal. Thus, at least in principle, Eve can begin 
and end this attack on a running quantum cryptolink. 

Another side effect is the additional delay in the quan- 
tum channel caused by Eve. The major component of 
this delay is the gap width in the faked state. Eve be- 
gins forming the faked state immediately after detecting 
Alice's quantum state. However, the actual click at Bob 
occurs at the end of the gap, which comes 2 us later. 
Thankfully, the time on Alice's and Bob's clocks is not 
authenticated in the QKD protocol. Many of the possibly 
affected QKD systems (listed in Sec.|v]) measure the time 
difference by the time of arrival of quantum states to Bob. 
In these systems, the additional 2 us delay will easily be 
absorbed by the time synchronization algorithm. In case 
the delay ever becomes a problem for Eve, she may try 
a slightly different tactics. Eve could begin sending to 
Bob a faked state for a particular bit-basis combination 
before she actually detects it. Then, when she detects 
Alice's quantum state in this bit-basis combination, she 
instantly ends the gap and finishes the faked state. As 
will be shown in the next section, the gap in the faked 
state can be of variable width, so this tactics might work. 

Finally, Eve must take into account two practical limi- 
tations of the hardware. One limitation is a finite extinc- 
tion ratio of Bob's PBS, as well as Eve's finite precision 
in forming polarized light with exact parameters of po- 
larization. The resulting imperfect splitting of the two 
faked state components at Bob's PBS leads to non-zero 
optical power in the gap on the control intensity diagram 
of the target detector. Another limitation is the time 
distribution of detector counts induced immediately af- 



6 



ter the end of the gap. This time distributon has a non- 
negligible width. These two limitations and their effects 
on the attack are considered in the next section. 



IV. DETECTOR TESTS 

In this section, I mainly consider time distribution of 
clicks induced by faked states. Many of the possibly 
affected QKD systems register timing of detector out- 
put pulses with sub-nanosecond precision. The width of 
Bob's time bin in which clicks are accepted as belong- 
ing to a particular Alice's qubit can be on the order of 
a nanosecond. Ideally, Eve's faked state should induce a 
click with sub-nanosecond time precision, to target the 
qubit time bin. However, as the tests show, the actual 
time distribution of the induced clicks is much wider. 

The experimental tests of three different detector mod- 
els are reported below. 



A. Detector model 1 

This detector model is based on a solder-it-yourself 
printed circuit board developed by C. Kurtsiefer and his 
coworkers. Being a low-cost, simple and compact design, 
it is used in several laboratories around the world. The 
equivalent diagram of the signal part of the circuit is 
shown in Fig. |2ja). The particular sample I have tested 
features multivibrator pulse duration of about 10 |as, 
while it is usually made orders of magnitude shorter in 
this circuit. 

The detector has been tested under input illumina- 
tion time diagram shown in Fig. [5] Laser illumination 
at 820 nm wavelength was applied uniformly over the 
entire photosensitive area of the APD 0.5 mm in diame- 
ter. 1 The optical power values P op t are calculated as the 
total power impinging on the photosensitive area. I have 
tested the detector at both zero and non-zero power level 
in the gap P opt . i ow . 

Figure (6^a) shows a typical time distribution of the 
SPD output pulses, and what effects non-zero power in 
the gap has on this time distribution. During approxi- 
mately the first 1 (is of the gap, the SPD does not pro- 
duce output pulses at all. After 1 us, some premature 
output pulses appear. When there is no illumination in 
the gap (P pt. low = 0), the average rate of these pulses 
is, at the parameters for which the chart is plotted, be- 
tween three and four times the normal dark count rate (of 
about 100 cps). After the end of the gap, there is a main 
response peak of a certain width. Non-zero illumination 
in the gap causes two effects. Firstly, the probability of 
premature output pulses greatly increases, as can be seen 




1 A detailed description of the testing setup can be found in the 
first version of this article, arXiv:0707.3987vl [quant-ph]. 



FIG. 5: Detector model 1. Control intensity diagram during 
testing. It was applied at 1 kHz repetition rate. 



on the P opt . iow = 0.2 pW curve. Secondly, the probabil- 
ity of output pulses in the main response peak decreases. 

The width of the main response peak can be reduced 
by increasing P op t. high, as shown in Fig. |6^b). 5 ns full 
width at half maximum (FWHM), or 10 ns width as mea- 
sured near the base of the peak at the 2% magnitude 
level, has been achieved at P op t. high = 400 pW. The 
width could likely be decreased further at higher levels 
of P op t. high! however, I did not test beyond 400 pW with 
this detector model. The detector response in the main 
peak is a single-photon click, as suggested by the expo- 
nentially decaying tail of the time distribution and by 
an estimate of the number of photons impinging on the 
APD in a unit of time. It is possible that multi- photon 
effects influence the time distribution at higher levels of 
-Popt. high! however there was no practical way of testing 
this. I have not investigated which effect is responsible 
for the gradual rising edge of the main response peak in 
this test. 

As you see, the total width of the time distribution, 
including the premature clicks, is more than a microsec- 
ond. The practical significance of this wide time distri- 
bution varies a lot depending on how Bob treats clicks 
falling outside his qubit time bin (which is always much 
narrower than a microsecond). If all or most of these 
clicks are simply disregarded by him, this is not much of 
a problem for Eve. In this case she only faces an addi- 
tional reduction in the "detection efficiency" of her faked 
states at Bob, which could be compensated as discussed 
in the previous section. If, however, clicks registered by 
Bob outside the proper qubit time bin contribute to the 
QBER (by falling into adjacent qubit time bins) or trig- 
ger an alarm condition, then Eve faces more stringent 
requirements. How these clicks are actually treated de- 
pends on implementation details and algorithms in each 
particular QKD system under attack, which I do not con- 
sider here. The relevant implementation details are usu- 
ally not reported in papers to the required extent, so 
experimenting with each QKD system will be necessary. 

We can still estimate how bad this problem can be 
by considering one of the worst possible cases for Eve. 
While the width of the main response peak can be re- 
duced by increasing P op t. high, the premature counts in 
the gap are always distributed over a wide time span. I 
assume that all these premature counts fall into wrong 
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FIG. 6: Detector model 1. Time distributions of pulse's 
leading edge at the detector output, when Eve controls it 
by constant illumination with an approximately 2 ^.s wide 
gap: (a) time distributions for zero and non-zero P op t. low (at 
Popt. high = 13 pW); (b) time distributions in the main re- 
sponse peak for a range of P op t. high values (at P op t. low = 0). 
On the charts, t = approximately corresponds to the start 
of the gap in illumination; the main response peak begins just 
after the end of the gap. 



qubit time bins at Bob. This can happen in a high-speed 
QKD system with qubit time bins following each other 
with no gaps between them, and passive basis choice at 
Bob. In the BB84 protocol, a count falling into a wrong 
qubit bin has 25% chance of causing an error in the sifted 
key (a combination of 50% chance of being in a compat- 
ible basis and 50% chance of having a wrong bit value). 
At the same time, I assume that all counts in the main 
peak fall into the proper time bin and register as error- 
free key bits. To avoid being discovered, Eve needs to 
maintain the QBER at approximately the same level as 
before her attack. The premature counts are caused by 
non-zero optical power in the gap, which is caused in part 
by imperfect optical alignment between Eve and Bob. To 



Width of the gap in illumination, us 

FIG. 7: Detector model 1. Eve's probability of producing a 
pulse at the detector output vs. width of the gap in illumina- 
tion (at Popt. low = 0). 



estimate the required quality of optical alignment, I've 
measured time distributions at several values of P op t. low 
(at P opt . high = 13 pW and gap width of 2 us). From 
the obtained data, I've calculated the probability ratio 
of having a premature click to having a click in the main 
response peak, for each used value of P op t. low The mea- 
surement has shown that this probability ratio rises ap- 
proximately linearly with P op t. low If we additionally 
assume that this effect is the main contribution to the 
QBER and that Eve uses the intensity diagrams with 
power levels as given in Fig.[4jc), then the measurement 
data suggest 
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where r e is an extinction ratio between Bob's two detec- 
tors in the target basis achieved by Eve. Thus, to match 
values of the QBER in the 2-5% range typically observed 
in QKD systems, Eve may need to achieve r e in the 19- 
23 dB range (or higher if other sources of errors are sig- 
nificant). This would be possible if the native extinction 
ratio of Bob's PBS exceeds r e ; this depends on the type 
of PBS used. Then, Eve would face a rather strong but 
probably realistic requirement on the precision of her po- 
larization alignment. To narrow down the assumptions 
made in this assessment one would need to analyse and 
attack a concrete QKD implementation. This could be a 
task for the future. 

Finally, Figure 7 shows how the probability of inducing 
the output pulse depends on the gap width. I have chosen 
the gap width of 2 us for all the other measurements with 
this detector, to achieve the count probability reasonably 
close to 1 without making the gap unnecessarily wide. 
As you can see, the count probability for 2 us or wider 
gap almost does not depend on P op t. high- Interestingly, 
although the count probability exceeds 0.99 at gap widths 
larger than 5 us, it never becomes exactly 1. 

In these measurements, the gap repetition rate was 
1 kHz. However, I have verified that, if necessary, the 
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FIG. 8: Detector model 2. Control intensity diagram during testing. It was applied at 10 kHz repetition rate. 



gap repetition rate can be increased to the limit. When 
the gaps follow each other in close succession (with less 
than 2 us between them), they still cause clicks at the 
SPD output. 



B. Detector model 2 

This detector model is SPCM-200-PQ, industrially 
produced by EG&G in the 1990s. While testing this 
model, I have focused on reducing the width of the main 
response peak. To achieve this goal, an improved control 
intensity diagram shown in Fig.[8]has been used. 780 nm 
illumination formed by mixing signals from two semicon- 
ductor lasers was applied uniformly over the entire pho- 
tosensitive area of the APD 0.15-0.2 mm in diameter. 
The optical power at the APD is kept at the minimum 
blinding level Pblind = 280 pW most of the time. In the 
beginning of the gap, a short brighter pulse A is applied. 
The purpose of this pulse is to discharge the capacitances 
in the SPD to about the same level every time in the be- 
ginning of the gap. Then the recharging process always 
starts at the same voltage and time, which leads to a cer- 
tain voltage being applied to the APD at the end of the 
gap. If the pulse A is absent, the recharge process starts 
at a random time of the last occurrence of avalanche be- 
fore the gap. In this case, the APD voltage at the end 
of the gap varies, which leads to increased jitter in the 
single photon response |17j . The gap ends with another 
brighter pulse B, which guarantees the arrival of the first 
few photons at the APD within a very short time. To 
fulfill this purpose, the pulse B does not have to be long. 
However, the tested detector sample tended to produce 
double output pulses when Pblind was applied near the 
end of its first output pulse. Extending the length of 
the bright pulse B to 200 ns reduced the probability of 
another output pulse appearing after the first one from 
8% to 0.5%. In the 500 ns wide gap, illumination at the 
power level 34 dB below Pblind was applied to the detec- 
tor, to simulate imperfect polarization splitting at Bob's 
PBS. 

The resulting time distribution of the SPD output 
pulses is shown in Fig. [9] At 0.22 uW peak power in the 



fwhm = 



Main peak 
0.92 ns, base width = 
96.4% counts 



4 ns 



Delayed 
1 .7% counts 




t, ns 



FIG. 9: Detector model 2. Time distribution of pulse's lead- 
ing edge at the detector output, when Eve controls it by an 
intensity diagram in which both parts A and B are present, 
at P+ = 784 • Pblind = 0.22 u.W. 



optical pulses A and B, the main response peak on the 
time distribution is 0.92 ns wide. The familiar premature 
counts in the gap are present on this time distribution, 
as well as delayed counts after the main peak. The latter 
can probably be attributed to small avalanches occurring 
early in the gap, resulting in delayed detector response 
after the end of the gap. The total probability, including 
the premature and delayed counts, of the detector pro- 
ducing a click in response to the control diagram is very 
close to 1. 

The presence of both brighter optical pulses A and B 
on the control diagram is necessary to achieve the nar- 
rowest width of the main response peak. Figure 10 shows 



how the width depends on the presence of each of these 
pulses and on the peak power in them. 



C. Detector model 3 

This detector model is used in a compact passive po- 
larization analyser module in Bob in a daylight free-space 
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By how many times P+ exceeds Pbiind 

FIG. 10: Detector model 2. Width of the main response peak 
vs. excess optical power P+ in the parts A and B of the control 
intensity diagram. Three cases are charted: only part A is 
present on the control diagram (while B is not), only part B is 
present (while A is not), and both parts A and B are present 
simultaneously. Note that the leftmost point on the "only A" 
curve corresponds to roughly the same shape of the control 
diagram as was used for testing the detector model 1: a gap 
in constant illumination at the minimum blinding intensity. 

QKD system [18] . The system has been developed at the 
Centre for quantum technologies in Singapore. We have 
tested all four detector channels. Unlike the previous two 
experiments, in this one we did not have physical access 
to measure absolute power impinging on the APDs. The 
saturation curves for the model 3 in Fig. [I] are scaled 
based on a guess that the detector quantum efficiency in 
the linear part of the curves was around 50%. 

On this QKD system, Q. Liu and myself have demon- 
strated that the Bob control method proposed in Sec. |III| 
works and that the detectors are individually addressable 
with sub-nanosecond jitter. We used polarization faked 
states that resulted in a control intensity diagram at the 
APDs similar to the one in Fig. [8] This will be reported 
in a separate article [TT?] . 

From the experiments reported above, it appears that 
Eve might in practice be able to control passively- 
quenched detectors well enough to attack a real QKD 
system. 



V. POSSIBLY AFFECTED SYSTEMS AND 
COUNTERMEASURES 

Currently there are at least 28 papers reporting differ- 
ent QKD experiments that employ non-gated Si APDs. 
These papers break down as follows. Eight of them re- 
ported the use of passively-quenched APDs [6l [18] E31 [26j 
130] 145] 148] [49] , ten reported the use of non-gated, actively 
quenched APDs [ITJ (311 [33 EH1 SLU SH S21 HS1 EU, 
and another ten did not specify the type of quenching, 



only saying Si APDs or "detectors" (which I assume were 
Si APDs) were used E21 ES E3 EH ESJ EH GEl [53]. I 
have since learned that three of the latter ten experiments 
[7J [5] EH] did in fact use passively-quenched detectors of 
a design very similar to the models 1 and 3 studied in 
this paper. Thus, it appears that passively-quenched and 
actively-quenched Si APDs are equally frequently used in 
QKD experiments. I remark that at least one model of 
actively-quenched Si SPD has been shown vulnerable to 
a somewhat similar attack also involving bright illumina- 
tion [H]. 

Continued frequent use of passive quenching can be ex- 
plained by its practical properties. It is well known that 
an actively-quenched APD delivers superior count rate 
and timing characteristics [T7J[51]. However, a passively- 
quenched circuit is simpler, cheaper, and more versatile; 
the biasing parameters are easy to adjust; a larger photo- 
sensitive area APD can be used than those embedded in 
commercially available actively-quenched detector mod- 
ules. At the same time, the performance of the passively- 
quenched SPD is often adequate for the task. For exam- 
ple, in the 144 km QKD experiments [5J [7] , laboratory- 
made passively-quenched detectors were used because the 
average count rate at Bob was low |55j . 

Unfortunately, none of the 28 experiments in my lit- 
erature sampling seemed to implement any countermea- 
sure against bright-light attacks (with the possible ex- 
ception of Ref. 38 where Eve's illumination might acci- 
dentally cause Bob's separate timing detector to work 
incorrectly) . Neither do I know of any SPD module with 
a specified guaranteed behavor under bright-light illumi- 
nation, or equipped with an extra output that signals 
saturation or blinding. 

It may appear that introducing authenticated timing 
into the QKD protocol can prevent my attack. How- 
ever, Eve can try a slightly different tactics discussed 
in Sec. |III| by starting to form a faked state before the 
actual detection occurs in Bob'. This tactics may in 
practice allow her to mimic the timing of Bob's clicks 
with just a few ns extra delay. Additionally, when the 
QKD system uses optical fiber [26], Eve can gain time 
by routing her classical communication from Bob' to the 
FS (see Fig.gb)) via a radio link in which signals prop- 
agate faster than in the fiber. Authenticated timing does 
not prevent the detector controllability, and thus is not 
a complete solution. 

Other researchers have proposed to equip each SPD 
with a "detector ready" signal that is only present when 
the voltage at the APD guarantees certain minimum 
quantum efficiency [56j . I think, this is a promising idea. 
These "detector ready" signals from all Bob's SPDs can 
be combined on an AND-gate and used to disable/enable 
click recording from all SPDs simultaneously by Bob's 
electronic registration system. Besides preventing the 
bright-light attacks, this would also be useful to thwart 
subtlier exploits. This circuit introduces registration 
blanking time for all detectors simultaneously whenever 
at least one of them is insensitive to photons after an 
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avalanche. Rejecting clicks that occur whenever at least 
one detector is having a deadtime seems to be a necessary 
security measure in any QKD system Additionally, 
this photon registration system can guarantee a certain 
quantified minimum quantum efficiency of each detector 
whenever the system is recording clicks. This guarantee 
may be required by a general security proof that takes 
into account equipment imperfections |57j . 

Once a hack-proofed system is built, it would have to 
be tested thoroughly under bright-light illumination with 
various temporal diagrams over a wide input intensity 
range. Ideally, the testing should include higher input 
power levels up to and above the damage threshold of 
Bob's optics. 

VI. CONCLUSION 

In this paper, I have shown how the saturation and 
blinding behavior of the passively-quenched APD can be 
used to gain control over detectors and stage an attack 
against a QKD system. Passively-quenched detectors of 
three different models have been experimentally tested 
and their control demonstrated by the same method, un- 
der realistic conditions. It would now be interesting to 



demonstrate a complete attack against a running QKD 
system. 
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